Ensuring Software Reliability and Security from Design Through Development

The solution: Synopsys Coverity SAST and Black Duck SCA

“Synopsys Coverity® static analysis security testing (SAST) helps Thales Alenia Space ensure that the software we develop in-house does not include coding defects. We use Coverity to help maintain code quality and to comply with industrial standards such as MISRA and the HIS Metriken set.”

A fast, accurate, and highly scalable static analysis testing solution, Coverity helps Thales Alenia Space development and security teams address security and quality defects early in the software development life cycle (SDLC). It also helps development and security teams track and manage risks and ensure compliance with security and coding standards.

“Coverity is primarily used in our automatic continuous integration pipeline,” said Leclercq. “The pipeline is fully automated to help developers focus on essential tasks. Currently, we serve more than 200 projects and are testing several million lines of code. Any code commit automatically triggers a Coverity analysis.”

“[The flexibility of] Coverity server deployment and licensing allows us to deploy many instances matching the diversity of our environments. Whether a software factory or restricted/confidential environments, Coverity is available to all Thales Alenia Space France employees and projects,” Leclercq said.

Introduced in June 2021, Black Duck® software composition analysis (SCA) is still relatively new at Thales Alenia Space. “Black Duck’s signature scanner’s ability to detect open source components in multiple ways is a unique and useful feature,” said Leclercq. “As with our Coverity deployment, any introduction of a new artifact or when dependencies are modified will trigger a Black Duck scan. We’re currently supporting approximately 100 projects with Black Duck, and expect to reach the same number of projects as our Coverity deployment by the end of 2022.”

The results: Code quality, security, and compliance

“Coverity is a very powerful static analysis tool that can detect issues in almost all kinds of software builds,” Leclercq noted. “For example, cross-compilation—that is, where the build and host machines are not of the same architecture—is used extensively for Thales Space onboard satellite systems. Coverity is very efficient at helping us analyze low-level code such as onboard C code used in flight satellite software.”

“Using Coverity has helped enhance our mandate to ensure code quality and security, as well as to enforce our compliance with SEI-CERT coding standards for C, C++, and Java, and MISRA standards for C. Most importantly, Coverity allows our developers to work on their essential tasks rather than having to allot time to identifying code defects.”

“Being able to detect and manage open source vulnerabilities early in the SDLC helps lower remediation costs,” Leclercq continued. “In addition to vulnerability management, we’ve also found Black Duck very useful in determining the viability of open source projects—that is, ‘is the project we’re using being maintained and updated?’—as well as keeping track of licenses for IP compliance.”

Black Duck SCA has also provided Thales Alenia Space with the means to create and maintain a software Bill of Materials (SBOM) of the open source being used in its code. Visibility into code is an important need—nearly 100% of the aerospace industry’s codebases were found to contain open source, according to the annual “Open Source Security and Risk Analysis” report.

“We’ve also been very appreciative of the support we’ve received from Synopsys,” said Leclercq. “The ongoing support for Coverity over the past few years has been really good. Whenever we’ve had a problem, the Coverity support team has had a solution.”

“Black Duck SCA is still relatively new to us, and we received a lot of help from the Black Duck support team to address some deployment issues we ran into. I’m happy to say Black Duck is now working like clockwork.”

Download the PDF